from the certainly-can-make-an-argument-that-way dept

For many years, it's been something of an open question if creating a major security or privacy vulnerability was illegal. For the most part, courts have ruled that without actual proven harm, it's difficult to show real standing for the sake of a civil lawsuit. In practical terms, this has meant that if you just introduce a massive security risk, without it directly being abused (in a way that people know about), a company's liability is fairly limited. Obviously, that could change quickly if there was an actual abuse. Not surprisingly, class action law firms still love to file these kinds of lawsuits after a major privacy/security breach just in case. So it was totally expected to see a class action firm jump in and sue Lenovo over the Superfish malware that we've been discussing for the past few days.

The folks over at CDT, however, have a very good discussion over whether or not enabling such HTTPS hijacking really is illegal. The article compares the Superfish story to the other recent story about in-flight Wi-Fi provider GoGo doing something similar, and explores whether or not these man-in-the-middle attacks run afoul of Section 5 of the FTC Act, which is the broad rules under which the FTC "protects consumers." The rules basically say companies cannot do things that are "deceptive" or "unfair," but the definitions of both of those words matters quite a bit.

Here's the exploration of whether this kind of man-in-the-middle attack is "deceptive":

At a technical level, these SSL-breaking technologies trick your browser by forging SSL certificates, implying that their service operates encrypted websites like YouTube.com and BankofAmerica.com. In fact, instead of passing encrypted traffic on to the appropriate destination, these technologies enact the previously described “man-in-the-middle attack,” gaining access to potentially sensitive information that should rightly be kept between you and, for example, your bank or health care provider. Though these practices do not directly deceive the end user, they do effectively deceive the user’s software that acts as a “user agent.” It’s not settled that this is prohibited by deceptive practices authority; in the past, the FTC has been reluctant to pursue deceptive practices cases merely on the grounds of tricking a browser: the FTC declined to pursue companies that issued bogus machine-readable P3P policies to get around Internet Explorer privacy restrictions or against companies that evaded Apple Safari’s default cookie settings in order to place third party cookies.[3] On the other hand, six state Attorneys General did bring a deceptive practices claim under their own version of Section 5 against companies that tricked Safari browsers into accepting third-party cookies.

Alternatively, the FTC could argue that failure to disclose that encrypted transmissions were being intercepted constituted a material omission — that is, failure to explain the practice would be a deceptive means to prevent a consumer from meaningfully evaluating the product. The FTC has brought a number of cases arguing that failure to disclose highly invasive or controversial practices either in a privacy policy or in clear, upfront language could constitute a deceptive practice. For instance, the FTC has found that failure to disclose access to your phone’s contact information or precise geolocation could constitute a material omission.

From what I can tell, neither Gogo nor Lenovo went out of their way to tell users about these practices. If anything, Gogo’s privacy policy would lead users to think that their SSL-protected communications were safe from eavesdropping.

For Lenovo, a post to one of its user forums says that users had to agree to the Superfish privacy policy and terms of service. I don’t know what these documents said exactly, though the Superfish documents availableon their website say nothing about these practices. Even if Lenovo had disclosed in fine print what it does, regulators could make the case that SSL interception was so controversial that permission needed to be obtained outside of a boilerplate legal agreement. A service could certainly try to make a value proposition to consumers that some feature was worth the cost of breaking web encryption – but that’s not what happened here.

What about the question of "unfair"? Apparently, the FTC prefers to use "unfair" in the cases it brings, rather than deceptive, so that is the more likely option.

In order to be “unfair” under Section 5, a business practice has to meet three criteria – it must:

If breaking encryption exposes consumers to significant security vulnerabilities, regulators will likely have a very strong case for an unfairness violation.

On causing significant harm, this seems fairly straightforward in Lenovo’s case: its partner Superfish configured its software to intercept all SSL requests — using the same decryption key across all devices. This key was easily reverse engineered soon after the story broke, meaning that any malicious attacker could use this key to intercept any encrypted communication. That’s a huge security vulnerability, and at least as concerning as several other vulnerabilities that the FTC has previously alleged to have harmed consumers. Gogo’s SSL interception also raised security concerns — it arguably inures users to security warnings and exposes them to attackers posing as Gogo’s network — but the risk is probably not as great as in the Lenovo case. The FTC has brought actions against device manufacturers in the past for weakening security; in its case against phone manufacturer HTC, the FTC alleged that badly designed software that let app developers piggyback on HTC’s access to certain phone functionality without user permission was an unfair business practice.

On the second part of the unfairness test, it’s hard to argue how these practices are avoidable by ordinary consumers. They may have clicked though legalistic agreements, but as far as we can tell, none of these documents made any disclosure about these sorts of tactics — or the vulnerabilities to which they exposed consumers. Certainly, neither Gogo nor Lenovo presented information outside of a legal document where consumers were likely to notice. As a result, consumers weren’t provided with actionable information that they could have used to avoid these problems.

Finally, it’s hard to see that the security vulnerabilities introduced by SSL-interception were outweighed by any benefits to the practice. Gogo used this tactic to block bandwidth-heavy video applications on planes with limited internet access — a worthy goal, but one better accomplished through less destructive means. Lenovo allowed its partner to break encryption in order to view private communications for targeted advertising. It is doubtful that many consumers would find this trade-off beneficial, even if it lowered prices significantly; in any event, Lenovo claims that they didn’t make much money from its deal with Superfish, and the pre-installed adware was simply designed to improve the user experience. Since exposure of these practices, both companies have backtracked and ended use of the encryption-breaking technologies.

But there's a much bigger question: will the FTC actually bother? The fact that Lenovo reacted pretty quickly to this mess probably suggests that the FTC may not bother. Yes, Lenovo's initial reaction wasn't great, but it did change its tune within less than 48 hours, and has been pretty vocal and active in apologizing and fixing things since then. That may be enough reason for the FTC to think it's not necessary to go after the company. Of course, it may feel differently about Superfish itself -- since that company still denies there's any problem and basically refuses to admit its role in this whole mess. It's still standing by its bogus statement that it did nothing wrong and claiming that Lenovo will clear things up -- even as Lenovo has clearly said otherwise.

from the finally dept

We've had a bunch of posts today (and yesterday) about the "Superfish" debacle, with a few of them focusing on Lenovo failing to recognize what a problem it was -- first denying any serious security problem, and then calling it "theoretical." It appears that Lenovo has now realized it totally screwed up and is finally saying so. Speaking to Re/code, CTO Peter Hortensius has changed his tune from the "theoretical" problem he discussed earlier:

“We messed up,” CTO Peter Hortensius told Re/code. The company now confirms that the way Superfish operates could leave machines vulnerable to a “man-in-the-middle,” or MITM, attack, in which an attacker mimics both sides of a conversation to actively eavesdrop on each one.

[....]

The company has an engineering review that made sure the tool itself didn’t store customer information and had a mechanism for users to opt out, but Lenovo missed that the way the software behaved could create a situation that left machines vulnerable to an attack.

“We should have known going in that that was the case,” Hortensius said. “We just flat-out missed it on this one, and did not appreciate the problem it was going to create.”

He later admits that the company "deserves" to take a beating for missing that. The company has also promised to publicly announce a plan for how it will make sure this sort of thing doesn't happen again.

While we called the company out for its initial terrible reaction, at least the company now seems to recognize the problems it caused and is owning up to it. It should have happened faster, but at least it's happening. Hopefully, the company is better off for it.

Of course, the same can't be said for Superfish, who insisted yesterday that Lenovo would show that there was no security risk at all, and still seems to be standing by that ridiculously wrong statement.

from the the-cleaner dept

As we've been noting, both Lenovo and Superfish have been bungling their way through the response to the fact that they introduced a massive security hole in the way that Superfish's adware/malware dealt with HTTPS protected sites (by using a self-signed root certificate that was incredibly easily hacked, allowing basically anyone to create a simple man in the middle attack). Lenovo has been going through the motions, first insisting there was no security concern, then arguing that the concerns were theoretical and then quietly deleting its statement about the lack of security problems with Superfish. It also posted some instructions on removing both the software and the root certificate, and promised to have an automated system soon.

Superfish, on the other hand, has remained almost entirely silent. It gave some reporters bland statements insisting that there was no security risk, that it "stood by" Lenovo's statement, and insisted that Lenovo would come out with a statement that showed Superfish was not responsible for any of this mess. It also insisted that the company was fully "transparent" in how its software worked, but that's clearly not the case, because nowhere do they say "we create a massive man in the middle attack just so we can insert advertising images into your HTTPS surfing." At the time of writing this, Superfish appears to have nothing on its website about all of this. Its Twitter feed's last post, from yesterday mid-day simply says that Lenovo "will be releasing detailed information at 5 p.m. EST today."

Except, it did not. That's about when it modified its original "nothing to see here" statement, with instructions on how to remove Superfish. It did not, as Superfish had previously told journalists, include a statement "with all of the specifics that clarify that there has been no wrongdoing on our end." In fact, it still looks very much like there was tremendous wrongdoing on the part of Superfish in the way it decided to implement its technologies. And that's not even getting into Superfish's sketchy history.

In the end, while Lenovo and Superfish are flailing around, it was left to Microsoft to come in and clean up the mess, pushing out a Superfish Fix to its Windows Defender product:

Microsoft just took a major step towards rooting out the Superfish bug, which exposed Lenovo users to man-in-the-middle attacks. Researchers are reporting that Windows Defender, Microsoft's onboard anti-virus software, is now actively removing the Superfish software that came pre-installed on many Lenovo computers. Additionally, Windows Defender will reset any SSL certificates that were circumvented by Superfish, restoring the system to proper working order. It's a crucial fix, as many security professionals had been struggling to find a reliable method for consistently and completely undoing the harmful effects of the bug. To make sure the fix takes effect, any Superfish-affected Windows users should update their version of Windows Defender within the program and scan as soon as possible.

Perhaps it's not surprising that Superfish is struggling to figure out how to deal with this sudden attention as a smaller company, but Lenovo should have been on top of this issue much, much faster.

from the call-it-a-twofer... dept

Thought that the revelations of NSA/GCHQ spying were dying out? Having some "surveillance fatigue" from all the stories that have been coming out? Have no fear -- or, rather, be very very very fearful -- because two big new revelations this week show just how far the NSA will go to make sure it collects everything. First up: your hard drives. Earlier this week, Kaspersky Lab revealed that the NSA (likely) has figured out ways to hide its own spyware deep in pretty much any hard drive made by the most popular hard drive manufacturers: Western Digital, Seagate and Toshiba.

The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran's uranium enrichment facility. The NSA is the U.S. agency responsible for gathering electronic intelligence.

A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the spy agency valued these espionage programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.

As the report notes, it appears that this is a kind of "sleeper" software, that is buried inside tons of hard drives, but only "turned on" when necessary. The report notes that it's unclear as to how the NSA was getting this software in there, but that it couldn't do it without knowing the source code of the hard drive firmware -- information that is not easily accessible. A few of the hard drive manufacturers have denied working with the government on this and/or giving them access to the firmware. It's possible they're lying/misleading -- but it's also possible that the NSA figured out other ways to get that information.

And that brings us to door number two: your mobile phone's SIM card. Today, the Intercept revealed (via the Ed Snowden documents) how the NSA and GCHQ were basically able to hack into the world's largest manufacturer of mobile phone SIM cards in order to swipe encryption keys, so that your friendly neighborhood intelligence snooper can snoop on you too:

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

In all, Gemalto produces some 2 billion SIM cards a year. Its motto is “Security to be Free.”

With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

The details of just how the NSA hacked into Gemalto are quite a story -- and proves what a load of crap it is when the NSA and its defenders insist that they only target bad people. As former NSA (and CIA) boss Michael Hayden recently admitted, they actually like to spy on "interesting people." And who could be more interesting than the people who have access to the encryption keys on billions of mobile phones?

So, yeah, the NSA and GCHQ basically spied on IT folks at the company until they found a way in. So, the NSA spies on "bad guys" and "IT people" for the good guys. Because, I'm sure they'll claim, it helps them get the bad guys. We've seen this before, when the GCHQ hacked into Belgian telco giant Belgacom, allowing them to tap into communications at the EU Parliament. Hacking into various companies appears to be standard operating procedures for the NSA/GCHQ these days, with no thought to the collateral damage being caused.

And, yes, both of these hacks basically involve giving the NSA an astounding amount of access to our electronic devices:

Leading privacy advocates and security experts say that the theft of encryption keys from major wireless network providers is tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment. “Once you have the keys, decrypting traffic is trivial,” says Christopher Soghoian, the principal technologist for the American Civil Liberties Union. “The news of this key theft will send a shock wave through the security community.”

[....]

The U.S. and British intelligence agencies pulled off the encryption key heist in great stealth, giving them the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted. “Gaining access to a database of keys is pretty much game over for cellular encryption,” says Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute. The massive key theft is “bad news for phone security. Really bad news.”

Between both of these big stories this week, it's clear that the NSA is basically deeply buried in pretty much every bit of electronic equipment these days, with the tools ready to go to spy on just about anything. The idea that this power isn't being abused regularly is pretty laughable.

The GCHQ managed to pull off a bit of coup, considering the iPhone's general resistance to malware. Instead of deploying an exploit to the target's phone, the GCHQ used an "endpoint machine" (a compromised computer or other device) to harvest data from the phone whenever it connected and synced. Similar to the NSA's exploitation of ad-tracking cookies, the GCHQ's program extracted the iPhone's UDID (Unique Device Identifier) during certain interactions -- like debit card purchases or interactions with AdMob.

The Mobile Theme has invested a large amount of research into iPhone apps and metadata analysis over the last year accumulating with a detailed report done by [redacted] in October 2009 and 29 SEM rules created by ICTR-MCT These rules have used to extract iPhone metadata for a number of apps and in particular the Unique Device Identifier (UDID) from any carrier being processed using DEBIT CARDs. Further TDI rules are being developed by GTE that will in the future extract UDID events from carriers processed through the MVR system. The resulting events have then been used to populate both research and corporate QFDs (Query Focused Datasets) such as MUTANT BROTH and AUTOASSOC and will eventually form the basis of mobile correlations in HARD ASSOC.

The end result of this proxy exploit? A ton of data and communications.

The document notes that this limited deployment resulted in the acquisition of three targets for the NSA, in addition to a number of UDIDs passed on to GCHQ's Tailored Access Operations, presumably in order to push further exploits to the phones at syncing.

Unfortunately, further information isn't forthcoming as the accompanying guidance document -- the inadvertently hilariously-titled "Good Penetration Guide" -- has not been made public.

One particular case was a [redacted] target, [redacted] with yahoo selector that was seen active on a iPhone OS 3_1_2, as shown in Figure 8. The resulting Yahoo-B cookie is [redacted] and as can be seen the target has been active off [redacted]. Running the resulting Yahoo-cookie through MUTANT BROTH resulted in 171 events primarily on case notations GWUKGOOS, and IRUKCO36. The resulting information was then forwarded to the in the [redacted] team for tasking by the standard CNE process as outlined in the Good Penetration Guide.

The document is dated November 2010. Apple began phasing out the UDID system the next year and finally banned app developers from integrating this deprecated identifier into their apps in May of 2013. Considering the dates involved, the GCHQ had at least a two-year window where the end machine exploit provided access to data and content. (Apple began its deprecation of the identifier in 2012.)

Considering this collection was killed off by the unaware company along with its UDID system, the GCHQ is obviously on board with UK Prime Minister David Cameron's call to forbid the sort of encryption Apple is making available by default. No one likes to see a source dry up, especially one utilizing devices historically resistant to outside exploitation.

from the not-really-'global'-when-it's-just-the-Five-Eyes-then,-is-it? dept

Who's going to let you know your communications and data have been compromised by state entities? Well, it seems to depend on who the state entity is. When it's a non-'Five Eyes' country involved, there's usually no hesitation. But the recent exposure of Regin malware's NSA/GCHQ origins (which both agencies deny originates with them despite leaked documents to the contrary) came belatedly, confirming details revealed more than a year ago. The malware appears to date back nearly a decade and yet, there has been little said about it over that period of time.

Symantec's [Vikram]Thakur said that they had been investigating Regin since last year, but only felt "comfortable" publishing details of it now.

[Costen] Raiu, the researcher from Kaspersky, said they had been tracking Regin for "several years" but rushed to publish the report after a journalist contacted them last week asking for comments about Regin, indicating a competitor was about to come out with their own report.

For [Ronald] Prins [of Fox IT], the reason is completely different.

"We didn't want to interfere with NSA/GCHQ operations," he told Mashable, explaining that everyone seemed to be waiting for someone else to disclose details of Regin first, not wanting to impede legitimate operations related to "global security."

And so it goes. Everyone had the same suspicion as to who was behind the malware, but everyone sat on it, hoping someone else would make the first move. The NSA and GCHQ may deny their involvement, but the list of countries with verified Regin infections notably does not include any of the "Five Eyes" countries. Microsoft -- whose software the malware was disguised as -- has refused to comment.

It's no surprise that companies like Microsoft are in no hurry to divulge findings about state-run malware, at least not if it involves governments it has large contracts with. But security researchers shouldn't be acting as flacks for intelligence agencies, even if only committing sins of omission. As the ACLU's chief technologist pointed out, there's no faster way to "destroy" your company's reputation as a "provider of trustworthy security consulting services." Who's going to want to hire someone that won't tell you your data and communications are compromised until it feels it's "safe" to do so?

We already know that any security holes discovered (or purchased) by intelligence agencies won't be turned over to affected companies until they've been fully exploited. We also know that some of these companies have worked in concert with the NSA and others to provide backdoor access or hold off on patching software until the government gives them the go-ahead. But security researchers shouldn't be withholding details on sophisticated malware out of deference to the intelligence agencies it believes are behind it.

At this point, we have a security ecosystem greatly skewed towards the exploitation of flaws and the distribution of malware, rather than the other way around. There's an entire industry that does nothing but find exploits and sell them to intelligence agencies -- only distinguishable from criminal enterprises by their clientele. Being silently complicit in these exploits may prevent operations from being compromised (and seems to confirm that Fox IT reached the same conclusion about the malware's origin as others), but it has the hugely unfortunate side effect of harming thousands, if not millions, of non-terrorists around the world.

from the im-in-ur-internet-stealing-ur-files dept

Complex malware known as Regin is the suspected technology behind sophisticated cyberattacks conducted by U.S. and British intelligence agencies on the European Union and a Belgian telecommunications company, according to security industry sources and technical analysis conducted by The Intercept.

Behind the malware -- which disguised itself as Microsoft drivers and was served via malicious, fake LinkedIn pages -- lies a cooperative effort between the NSA and GCHQ. Belgacom has long since ousted the intruding software and is now working with a federal prosecutor to pursue a criminal investigation. Belgacom's subversion by this malware -- comparable in sophistication to the infamous Stuxnet, according to Symantec (which published its findings last Sunday) -- led to the breach of EU offices.

Spying on foreign governments is what intelligence agencies are expected to do. But dumping malware into the operating systems of a communications provider generally isn't. Belgacom's infection is the only verified incident so far, but there are likely many, many more considering the Regin malware traces back nearly ten years.

Based on an analysis of the malware samples, Regin appears to have been developed over the course of more than a decade; The Intercept has identified traces of its components dating back as far as 2003. Regin was mentioned at a recent Hack.lu conference in Luxembourg, and Symantec’s report on Sunday said the firm had identified Regin on infected systems operated by private companies, government entities, and research institutes in countries such as Russia, Saudi Arabia, Mexico, Ireland, Belgium, and Iran.

GCHQ has issued boilerplate in response to The Intercept's request for a comment. The NSA, on the other hand, apparently isn't going to dignify this story with a non-denial denial, opting instead for something much more brusque:

“We are not going to comment on The Intercept’s speculation.”

What's currently out there in the wild may not be as effective anymore. Belgacom discovered its infection around June 21, 2013, about a week before Der Spiegel published Snowden documents pointing to the digital infiltration of EU offices. The Intercept has made the malware available for download and states the following in its article.

Given that that it has been over a year since the Belgacom operation was publicly outed, The Intercept considers it likely that the GCHQ/NSA has replaced their toolkit and no current operations will be affected by the publication of these samples.

If so, then the two agencies involved have likely moved on to something better and less detectable. Being outed is no reason to stop spying, especially in other nations where legal protections range from "thin" to "nonexistent."

from the consequences dept

For years and years, the legacy entertainment industry players insisted that if only Google would censor results so they showed what the legacy entertainment companies wanted -- instead of what users actually wanted -- unauthorized downloading would magically decrease. There was little evidence to support this, but with increasing pressure and threats of either litigation or legislation, Google caved back in 2012, promising to "downrank" sites that get a lot of DMCA notices. We had warned that, contrary to popular opinion from the legacy entertainment industry, it's not nearly as easy as they think to do this. And, of course, months later, the RIAA was complaining that Google's new rankings weren't good enough, and the MPAA joined in soon after.

Last month, Google announced even more significant changes in its effort to appease the legacy entertainment industry and to "fight piracy." This included a big adjustment to how it downranks sites based on DMCA filings. Apparently, the change pretty quickly resulted in popular torrent sites nearly disappearing from Google's index. Of course, as The Pirate Bay pointed out in response, this change actually meant that it got more direct traffic, since people unable to find what they wanted via Google knew to just go somewhere else instead.

While the sites mentioned above are offering torrents and clearly benefiting traffic-wise, we have deliberately left out several sites from our report. Thanks to their lack of DMCA breaches some sites are much closer to the top than they should be when Google is presented with movie + torrent searches. Sadly these sites have something evil in mind – malware.

Hollywood might publicly warn that some file-sharing sites are havens for viruses and spyware, but Google’s actions have dredged up the real filth from the bottom and that will mean a lot of people paying the price. Having these sites downranked is not on the agenda.

For years, of course, one of the go-to talking points for Hollywood was that engaging in unauthorized downloading would lead to malware -- and it's a talking point that never goes away. The thinking of Hollywood is that (1) this may scare some people away from file sharing and (2) they can claim to the press and politicians that they're looking out for the safety of the public with their policy recommendations.

Except... in this case, it appears that it's their own silly demands to rewrite Google's search results that are actually putting more people at risk and driving more people to potential malware. Even if there was some malware on top sites, it was usually spotted and dealt with quickly, and rarely would get popular enough to be highly ranked. But by taking out the more accurate results, malware-laden efforts are suddenly able to rise up the rankings.

If the RIAA/MPAA were truly concerned about stopping malware, they'd recognize that their own demands to edit Google's search results have put people more at risk. But they won't, of course. Just like everything else, they'll likely blame Google and say that Google should figure out a way to fix this.

But here's the thing: this is what's bound to happen when someone wants to edit Google's results to what they want them to be, rather than what users want. This is the fundamental misunderstanding of the legacy entertainment industry in their hatred of Google. They think it's a search engine for the sites it finds, rather than a search engine for the users looking for stuff. It's a fundamental difference that makes all the difference in the world.

from the a-free-(and-exploitable)-press dept

Spend enough time staring at redacted documents liberated from secretive government agencies and you're bound to miss a thing or two on the first pass. Chris Soghoian, technologist for the ACLU was browsing through some FBI documents [pdf link] obtained by the EFF and came across this:

FBI agents trying to track the source of e-mailed bomb threats against a Washington high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor him and report back to a government server, according to an FBI affidavit obtained by Wired News...

The software was sent to the owner of an anonymous MySpace profile linked to bomb threats against Timberline High School near Seattle. The code led the FBI to 15-year-old Josh Glazebrook, a student at the school, who on Monday pleaded guilty to making bomb threats, identity theft and felony harassment.

The court documents didn't detail how the FBI managed to install the weaponized payload on Glazebook's computer. The emails obtained by the EFF, however, expose the electronic paper trail.

The CIPAV (Computer and Internet Protocol Address Verifier) made its way to Glazebrook's system via a Myspace message sent by the FBI… which was impersonating the Seattle Times.

"The ends don't justify the means. I'm not saying that the FBI shouldn't be investigating people who threaten to bomb schools. But impersonating the media is a really dangerous line to cross."

The Seattle Times isn't too happy, either. Editor Kathy Best says the paper is now "seeking answers" from the FBI. Best's full statement on behalf of the Times is short, but deeply critical of the agency's actions.

We, like you, just learned of this and are seeking answers ourselves from the FBI and the U.S. Attorney’s office.

But we are outraged that the FBI misappropriated the name of The Seattle Times to secretly install spyware on the computer of a crime suspect. Not only does that cross the line, it erases it.

Our reputation—and our ability to do our job as a government watchdog—is based on trust. And nothing is more fundamental to that trust than our independence from law enforcement, from government, from corporations and from all other special interests. The FBI’s actions, taken without our knowledge, traded on our reputation and put it at peril.

The FBI has already responded (somewhat) to Best's statement, deploying the usual deferrals to public safety and agency investigatory procedures.

“Every effort we made in this investigation had the goal of preventing a tragic event like what happened at Marysville and Seattle Pacific University. We identified a specific subject of an investigation and used a technique that we deemed would be effective in preventing a possible act of violence in a school setting. Use of that type of technique happens in very rare circumstances and only when there is sufficient reason to believe it could be successful in resolving a threat. We were fortunate that information provided by the public gave us the opportunity to step in to a potentially dangerous situation before it was too late.”

TL; DR: The public should be counting its blessings rather than examining our questionable methods.

Taken at face value, Special Agent Frank Montoya Jr. is basically saying that the FBI will abuse its power (and the reputations of others) whenever it determines such methods to be necessary to achieve its goals. Not really a comforting idea at all, and one that basically confirms Soghoian's suspicions: the ends will be used to justify the means, no matter how potentially damaging the means are.

from the say-what? dept

Okay, so we thought the response from San Diego's District Attorney Bonnie Dumanis was pretty bad to the revelations about ComputerCOP. After all, she was responding to the news that she had purchased and distributed dangerous spyware masquerading as software to "protect the children" -- and the best she could come up with was that her "security" people still thought it would protect kids? But apparently Damanis has nothing on Sheriff Mike Blakely of Limestone County, Alabama.

Blakely, in a bit of unfortunate timing, just announced that his department had purchased 5,000 copies of the spyware earlier this week, so perhaps it's understandable that this "perfect election and fundraising tool" might actually turn into something of a liability. But Blakely's not going down without a fight. When presented with the news that he's proudly handing out tools that are making the children he's supposed to be protecting less safe, Blakely went with an ad hom the messenger approach, attacking EFF's credibility, and calling them "liberals."

Blakely referred to the EFF criticism politics as an "Ultra-liberal organization that is not in any way credible on this. They're more interested in protecting predators and pedophiles than in protecting our children."

Anyone even remotely familiar with EFF recognizes that basically every word in that statement is ridiculous, but what are you going to do? The idea that EFF isn't credible on security issues is laugh out loud funny (and, indeed, despite attending a conference and being in a room full of people, I literally laughed out loud upon reading it). However, Blakely insists his IT people are sure the software's fine:

"We have had the key logger checked out with our IT people. They have run it on our computer system." He said. "There is no malware."

Reread that a few times. "We had the key logger checked out... there is no malware." Dude. A keylogger is malware. That's what it does. From the description here, it sounds like his "IT people" ran some anti-malware software on the computer they installed ComputerCOP on, and because it didn't flag it, they insist it's not malware. But a keylogger is malware by definition. And the fact that this malware happens to pass unencrypted text, including passwords and credit card numbers, over the internet makes it really, really bad.

But don't tell that to Sheriff Blakely. He insists that ComputerCOP might have stopped Columbine. I'm not joking.

On the phone Wednesday he added "There are some parents out in Columbine Colorado, if they had this kind of software, things would have turned out differently."

That comment is so off it defies a coherent response.

Meanwhile, I'm sure that Sheriff Blakely's "IT People" are trustworthy, given that his website looks like it was designed in 1997 and hasn't been touched since. It even has a visitor counter and a "this site best viewed in Internet Explorer" badge. I'm not joking. And a scroll. The only thing it's missing is an under construction gif and the blink tag:

And, uh, note that text there:

You are not permitted to copy, broadcast, download, store (in any medium), transmit, show or play in public, adapt or change in any way, the content of these web pages for any other purpose whatsoever without the prior written permission of the site webmaster.

And there's a copyright notice below it. Of course, anyone who views the website has copied, downloaded, stored and transmitted the webpage in some manner -- so, I'm not quite sure what to do other than to say, that most of those demands are completely bogus and not based on any actual law. As for the copyright -- well, while technically only federal government works are exempt from copyright, and state and local governments can get a copyright in some fashion, it's generally not considered the appropriate role of government officials to be copyrighting official government works. Furthermore, in such cases, there would likely be a very strong presumption of fair use for a whole host of reasons.

The unauthorized use, copy, or reproduction of any content of this site inclusive, may be punishable by both fine and imprisonment.

Under what legal theory is that happening? As a sheriff, aren't you supposed to, you know, actually know what the law is? Maybe work on that before slamming the good folks at EFF while distributing dangerous spyware that makes kids less safe. And find someone who's built a website in the last decade.